US2026019277A1PendingUtilityA1

Caller process verification for device-bound authenticators

78
Assignee: OKTA INCPriority: Apr 28, 2023Filed: Sep 19, 2025Published: Jan 15, 2026
Est. expiryApr 28, 2043(~16.8 yrs left)· nominal 20-yr term from priority
H04L 9/3271H04L 9/0825H04L 9/3247G06F 21/44H04L 63/0823
78
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods, systems, and devices for process verification are described. An authenticator application of a device may receive, from an authenticating application of the device, a first request to establish a network connection between the authenticator application and the authenticating application. The first request may identify a port associated with the network connection. The authenticator application may receive a second request from the authenticating application to authenticate an identity of a user. The authenticator application may identify a process used to establish the network connection between the authenticator application and the authenticating application on the port. The authenticator application may obtain a signature and a set of data associated with the signature based on the identified process. The authenticator application may authenticate the identity of the user based on the signature and the associated set of data.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for process verification at a first application of a device, comprising:
 receiving a first request to establish a network connection between the first application and a second application, wherein the first request identifies a port associated with the network connection;   receiving, via the network connection, a second request to authenticate an identity of a user of the second application via the first application; and   obtaining a signature and a set of data associated with the signature based at least in part on a process used to establish the network connection between the first application and the second application, wherein the process is based at least in part on the port, and wherein authenticating the identity of the user is based at least in part on the signature and the set of data associated with the signature.   
     
     
         2 . The method of  claim 1 , further comprising:
 determining that one or more non-authentication processes have one or more connections established on the port; and   blocking, based at least in part on the one or more connections established on the port, authentication requests from the first application.   
     
     
         3 . The method of  claim 1 , further comprising:
 establishing one or more ports for inbound network connections and outbound network connections, wherein the one or more ports comprise the port that is associated with the network connection; and   querying a connection table to identify an outbound connection associated with the process with the port.   
     
     
         4 . The method of  claim 1 , further comprising:
 determining that the second application is signed, wherein obtaining the signature is based at least in part on determining that the second application is signed.   
     
     
         5 . The method of  claim 1 , further comprising:
 determining, based at least in part on the set of data, whether the second application is authorized to request authentication of the identity of the user via the first application, wherein the second request is received from the second application; and   authenticating the identity of the user based at least in part on the determination.   
     
     
         6 . The method of  claim 5 , further comprising:
 identifying a source of the second application based at least in part on the set of data, wherein determining whether the second application is authorized to request the authentication of the identity of the user is based at least in part on the identified source.   
     
     
         7 . The method of  claim 6 , further comprising:
 determining a level of legitimacy of the second application based at least in part on the identified source, wherein determining whether the second application is authorized to request the authentication of the identity of the user is based at least in part on the determined level of legitimacy.   
     
     
         8 . The method of  claim 6 , further comprising:
 determining an association between the identified source and a set of authorized sources or a set of unauthorized sources, wherein determining whether the second application is authorized to request the authentication of the identity of the user is based at least in part on the determined association.   
     
     
         9 . The method of  claim 5 , further comprising:
 receiving an indication of a configuration for authenticating the identity of the user, wherein determining whether the second application is authorized to request the authentication of the identity of the user is based at least in part on the configuration.   
     
     
         10 . The method of  claim 9 , wherein receiving the second request comprises:
 receiving, via the network connection, a message comprising the indication of the configuration and an indication of the second request, wherein the second request comprises an authentication challenge, and wherein the configuration and the authentication challenge originated from an authentication service associated with the user.   
     
     
         11 . The method of  claim 10 , further comprising:
 verifying a second signature of the message based at least in part on a public key associated with the authentication service, wherein use of the configuration to determine whether the second application is authorized to request the authentication of the identity of the user is based at least in part on verifying the second signature.   
     
     
         12 . The method of  claim 9 , wherein:
 the set of data comprises one or more types of data, and   the one or more types of data are based at least in part on the configuration.   
     
     
         13 . The method of  claim 1 , further comprising:
 transmitting, to an authentication service associated with the user, a message comprising an indication of the set of data, wherein authenticating the identity of the user is based at least in part on transmitting the message to the authentication service.   
     
     
         14 . The method of  claim 13 , wherein:
 the second request comprises an authentication challenge originating from the authentication service, and   the message comprises the indication of the set of data and a response to the authentication challenge.   
     
     
         15 . The method of  claim 1 , wherein obtaining the set of data comprises:
 obtaining the set of data from an operating system of the device, an authentication service associated with the user, or a third-party application, or any combination thereof.   
     
     
         16 . The method of  claim 1 , wherein obtaining the set of data comprises:
 obtaining data indicative of a location of code associated with the second application, data indicative of a name of the second application, data indicative of a name of a file comprising the code associated with the second application, data indicative of a process identifier corresponding to the process, data indicative of a version associated with the second application, data indicative of a level of integrity associated with the signature, data indicative of a validation status associated with a certificate chain of the signature, data indicative of a distinguished name corresponding to the signature, data indicative of a key identifier corresponding to the signature, or any combination thereof.   
     
     
         17 . An apparatus for process verification at a device, comprising:
 one or more memories storing processor-executable code; and   one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the apparatus to:
 receive a first request to establish a network connection between a first application and a second application, wherein the first request identifies a port associated with the network connection; 
 receive, via the network connection, a second request to authenticate an identity of a user of the second application via the first application; and 
 obtain a signature and a set of data associated with the signature based at least in part on a process used to establish the network connection between the first application and the second application, wherein the process is based at least in part on the port, and wherein authenticating the identity of the user is based at least in part on the signature and the set of data associated with the signature. 
   
     
     
         18 . The apparatus of  claim 17 , wherein the one or more processors are individually or collectively further operable to execute the code to cause the apparatus to:
 determine that one or more non-authentication processes have one or more connections established on the port; and   block, based at least in part on the one or more connections established on the port, authentication requests from the first application.   
     
     
         19 . The apparatus of  claim 17 , wherein the one or more processors are individually or collectively further operable to execute the code to cause the apparatus to:
 establishing one or more ports for inbound network connections and outbound network connections, wherein the one or more ports comprise the port that is associated with the network connection; and   querying a connection table to identify an outbound connection associated with the process with the port.   
     
     
         20 . A non-transitory computer-readable medium storing code for process verification, the code comprising instructions executable by one or more processors to:
 receive a first request to establish a network connection between a first application and a second application, wherein the first request identifies a port associated with the network connection;   receive, via the network connection, a second request to authenticate an identity of a user of the second application via the first application; and   obtain a signature and a set of data associated with the signature based at least in part on a process used to establish the network connection between the first application and the second application, wherein the process is based at least in part on the port, and wherein authenticating the identity of the user is based at least in part on the signature and the set of data associated with the signature.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.